The instructions on this page apply to the cloud solution of Enterprise Studio. For on-premise solution instructions, please refer to Configuring user synchronization and authentication with a SAML 2.0 based identity provider.
If you encounter any issues with respect to your SAML 2.0 configuration, please
The Team Server and HoriZZon web portal (if applicable) support single sign-on (SSO) using a SAML 2.0 Identity Provider. To configure your Identity Provider to integrate with your hosted environment via SAML 2.0, follow the steps below. Please note that these steps are generic; the exact configuration will be specific to your Identity Provider.
To initiate the SAML 2.0 configuration process for your hosted environment, first contact BiZZdesign Support.
Please note that the Team Server cannot generate the Service Provider Metadata as an XML file. In typical SAML 2.0 setups this is not a problem, because the application can be created and configured manually in the Identity Provider.
Please also note that BiZZdesign currently only supports SP-initiated SSO SAML 2.0 authentication.
<customer>: This value is unique to your hosted environment. The full Callback URL will be provided to you by BiZZdesign Support.
<customer>: This value is unique to your hosted environment. The full Service Provider Entity ID will be provided to you by BiZZdesign Support.
In addition to the assertion attributes listed in point 4, the NameID (also known as the nameidentifier) must be included in the SAML subject, with the URN format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. The NameID value should be set to the E-mail address, as is the case for the email attribute. The reason for this is that the NameID value updates the username of the user's Team Server user profile, which is itself used as the key for the user's local (personal) storage in Enterprise Studio Online. In non-SSO configurations the username and email are the same, so this configuration should be preserved when enabling SAML authentication.
Please note that when existing users switch to signing in using SAML, it is advised to set the NameID attribute to the E-mail address. If you use a different value, these users will lose access to the model packages stored in their personal storage in Enterprise Studio Online.
For the SingleSignOnService and SingleLogoutService bindings, use urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.
The BiZZdesign software implements a maximum login time, as defined in the SAML 2.0 Session Token Profile specification, of one hour. This means that users must have signed in with the Identity Provider within the last hour for the SAML assertion to be accepted. Depending on your settings, this maximum authentication time may be too short for your Identity Provider. If your Identity Provider uses a longer maximum login time, please include that in your support ticket when contacting BiZZdesign.
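As an added example (not BiZZdesign code), the Python script below checks a constructed SAML Response for the three things this page says the Team Server depends on: the NameID format, the NameID matching the email attribute, and the AuthnInstant falling within the maximum login time (default 3600 seconds). The attribute name `email`, the sample timestamps and the address are assumptions.

```python
# Added example (not BiZZdesign code): check the parts of a SAML Response that
# this page says the Team Server relies on. The XML below is a constructed sample.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
DEFAULT_MAX_LOGIN_SECONDS = 3600  # the page's default maximum login time of one hour

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="{instant}"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    """SAML uses UTC timestamps such as 2024-01-01T11:30:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now, max_login_seconds=DEFAULT_MAX_LOGIN_SECONDS):
    """Return the problems found; an empty list means the assertion meets the page's requirements."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no NameID in the SAML subject"]
    if name_id.get("Format") != NAMEID_UNSPECIFIED:
        problems.append(f"NameID format is {name_id.get('Format')!r}, expected unspecified")
    email = root.find(".//saml:Attribute[@Name='email']/saml:AttributeValue", NS)
    if email is None or (email.text or "").strip() != (name_id.text or "").strip():
        problems.append("NameID differs from the email attribute; the personal storage key would change")
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None:
        problems.append("no AuthnStatement, so the login time cannot be checked")
    elif now - parse_saml_time(stmt.get("AuthnInstant")) > timedelta(seconds=max_login_seconds):
        problems.append(f"AuthnInstant is older than the maximum login time of {max_login_seconds}s")
    return problems

if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T12:00:00Z")
    print(check_response(SAMPLE_RESPONSE.format(instant="2024-01-01T09:00:00Z"), now))
```

Raising `max_login_seconds` to 28800 mirrors the 8-hour session timeout discussed later on this page and makes the same stale assertion pass.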
BiZZdesign Support will configure the Team Server to act as the Service Provider. When contacting BiZZdesign Support, please include the following items in your ticket:
Optional: Configure the Service Provider Metadata encryption certificate. This can be provided by BiZZdesign Support after the Team Server has been configured to act as a Service Provider, or beforehand. This is entirely optional and depends on the security policies of your organization.
It is often helpful to review the SAML Response when troubleshooting an issue with SAML 2.0. Refer to the guide below, and include the SAML response when submitting a ticket to BiZZdesign Support:
Users are provisioned just-in-time, meaning that they are added as a user to the Team Server the moment they first sign in, provided that they have been granted access.
Users do not receive an e-mail notification (as manually added users do), and do not need to register with the Team Server to get access. Their user accounts are immediately ready for signing in and can be used directly for invitations to model packages and projects. To work with model packages and projects, users must have been assigned the (Lead) Designer role.
Group membership is also registered just-in-time. Users are added to and removed from groups the moment they sign in to the Team Server.
The Team Server's service provider has preconfigured values for some settings that conflict with certain identity providers (including but not limited to ADFS 2.0/3.0 and Azure SAML). If you want to have these settings configured, please contact BiZZdesign Support.
This setting controls whether or not the Service Provider should send the NameQualifier. By default, the Service Provider is configured to include the NameQualifier in the AuthnRequest. Some Identity Providers do not accept the NameQualifier when using the nameid format "entity" (i.e. urn:oasis:names:tc:SAML:2.0:nameid-format:entity), so the NameQualifier must be disabled in this case. Valid values are true (the default) and false (to disable).
This setting controls the Service Provider's session timeout value, which by default is set to 1 hour. Some Identity Providers have higher session timeout values, so it may be necessary to change this setting's value to align with your Identity Provider's session timeout. The setting is specified in seconds, so a valid value for an 8-hour session timeout would be 28800.